SCM732e0fdad721472b83deb40246cb7dbd

Monitor_SCM732e0fdad721472b83deb40246cb7dbd (UnitMonitor)

This policy setting controls the behavior of the elevation prompt for standard users.

Knowledge Base article:

External

http://go.microsoft.com/fwlink/?LinkId=243138

Element properties:

Target

Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security

Parent Monitor

System.Health.ConfigurationState

Category

Alert

Enabled

True

Alert Generate

True

Alert Severity

Error

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.KnowledgeServices.Library.PowerShellMonitorEx

Remotable

True

Accessibility

Public

Alert Message

User Account Control: Behavior of the elevation prompt for standard users

<Details>
<Content>This policy setting controls the behavior of the elevation prompt for standard users. The options are: Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. Prompt for credentials on the secure desktop: (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

Consideration:
One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run.

Impact:
Users will need to provide administrative passwords to be able to run programs with elevated privileges. This could cause an increased load on IT staff while the programs that are impacted are identified and standard operating procedures are modified to support least privilege operations.

Recommendation:
Configure the User Account Control: Behavior of the elevation prompt for standard users to Automatically deny elevation requests. This setting will require the user to login with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator level accounts, then the Prompt for credentials setting is recommended so that the users will not choose to always log in with their administrator accounts and will shift their behavior to using the standard user account.

Group Policy Path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users</Content>
<CollectedInformation>
<Info>
<Name>Recommended Value</Name>
<Value>Prompt for credentials</Value>
</Info>
<Info>
<Name>Actual Value</Name>
<Value>{0}</Value>
</Info>
</CollectedInformation>
</Details>

RunAs

Default

Comment

SupportTopic=TBD;VersionNumber=1.0.0.1;

Source Code:

<UnitMonitor ID="Monitor_SCM732e0fdad721472b83deb40246cb7dbd" Comment="SupportTopic=TBD;VersionNumber=1.0.0.1;" Accessibility="Public" Enabled="true" Target="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="KnowledgeServicesLibrary!Microsoft.KnowledgeServices.Library.PowerShellMonitorEx" ConfirmDelivery="true">

  <Category>Alert</Category>

  <AlertSettings AlertMessage="MonitorMessage732e0fdad721472b83deb40246cb7dbd">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/Property[@Name='ActualValue']$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Error"/>

  </OperationalStates>

  <Configuration>

    <ScriptName>SCM732e0fdad721472b83deb40246cb7dbd.ps1</ScriptName>

    <Parameters>

      <Parameter>

        <Name>ActualValue</Name>

        <Value>$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/UserAccountControlBehavioroftheelevationpromptforstandardusers$</Value>

      </Parameter>

    </Parameters>

    <ScriptBody><Script>





param($ActualValue)



$ErrorActionPreference = "Stop"



# Set up the arguments

$scriptargs = new-object psobject

$scriptargs | add-member NoteProperty "ActualValue" $ActualValue



# Set up the output

$global:scriptoutput = new-object psobject

$scriptoutput | add-member NoteProperty "ActualValue" ""

$unit = $null

$valueToFriendlyName = $null

$valueToFriendlyName += @{"" = "[Setting Not Present]"}

$valueToFriendlyName += @{"3" = "Prompt for credentials"}

$valueToFriendlyName += @{"0" = "Automatically deny elevation requests"}

$valueToFriendlyName += @{"1" = "Prompt for credentials on the secure desktop"}



function AdvisorRule($scriptargs, $scriptoutput)

{

	$ActualValue = $scriptargs.ActualValue



	if ($unit -ne $null)

	{

		$scriptoutput.ActualValue = $ActualValue + $unit

	}

	else

	{

		$scriptoutput.ActualValue = $valueToFriendlyName.$ActualValue

	}

}



AdvisorRule $scriptargs $scriptoutput



# set the output

$mom = new-object -comobject "MOM.ScriptAPI"

$bag = $mom.CreatePropertyBag()



if ($scriptoutput.ActualValue -ne $null)

{

	$bag.AddValue("ActualValue", $scriptoutput.ActualValue)

}



$bag



</Script></ScriptBody>

    <SnapIns/>

    <TimeoutSeconds>300</TimeoutSeconds>

    <Schedule>14403</Schedule>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <Value Type="Integer">$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/UserAccountControlBehavioroftheelevationpromptforstandardusers$</Value>

        </ValueExpression>

        <Operator>NotEqual</Operator>

        <ValueExpression>

          <Value Type="Integer">3</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <Not>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <Value Type="Integer">$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/UserAccountControlBehavioroftheelevationpromptforstandardusers$</Value>

            </ValueExpression>

            <Operator>NotEqual</Operator>

            <ValueExpression>

              <Value Type="Integer">3</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </Not>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>